Merge pull request upbound#100 from phisco/sync-upstream-master

.github/ISSUE_TEMPLATE/patch_release.md

@@ -28,11 +28,14 @@ examples of each step, assuming vX.Y.Z is being cut.
   - [ ] `xp/getting-started-with-aws-with-vpc`
   - [ ] `xp/getting-started-with-azure`
   - [ ] `xp/getting-started-with-gcp`
+- [ ] Confirm the full set of patch versions that will be released and promote them from lowest to highest, so the **highest** version is the **last** to be promoted (e.g. `v1.12.2` should be promoted after `v1.11.3`), in order to avoid the promote workflow overwriting the latest patch release.
 - [ ] Run the [Promote workflow][promote-workflow] with channel `stable` on the `release-X.Y` branch and verified that the tagged build version exists on the [releases.crossplane.io] `stable` channel at `stable/vX.Y.Z/...`.
 - [ ] Published a [new release] for the tagged version, with the same name as the version and descriptive release notes, taking care of generating the changes list selecting as "Previous tag" `vX.Y.<Z-1>`, so the previous patch release for the same minor.
 - [ ] Ensured that users have been notified of the release on all communication channels:
   - [ ] Slack: `#announcements` channel on Crossplane's Slack workspace.
   - [ ] Twitter: reach out to a Crossplane maintainer or steering committee member, see [OWNERS.md][owners].
+  - [ ] LinkedIn: same as Twitter
+- [ ] Remove any extra permissions given to release team members for this release
 
 <!-- Named Links -->
 [ci-workflow]: https://github.com/crossplane/crossplane/actions/workflows/ci.yml

.github/ISSUE_TEMPLATE/release.md

@@ -26,6 +26,7 @@ examples of each step, assuming release vX.Y.0 is being cut.
   - [ ] Created and merged an empty commit to the `master` branch, if required to have it at least one commit ahead of the release branch.
   - [ ] Run the [Tag workflow][tag-workflow] on the `master` branch with the release candidate tag for the next release `vX.Y+1.0-rc.0`.
 - [ ] Opened a [docs release issue].
+- [ ] Checked that the [GitHub milestone] for this release only contains closed issues
 - [ ] Run the [Tag workflow][tag-workflow] on the `release-X.Y` branch with the proper release version, `vX.Y.0`. Message suggested, but not required: `Release vX.Y.0`.
 - [ ] Run the [CI workflow][ci-workflow] on the release branch and verified that the tagged build version exists on the [releases.crossplane.io] `build` channel, e.g. `build/release-X.Y/vX.Y.0/...` should contain all the relevant binaries.
 - [ ] Run the [Configurations workflow][configurations-workflow] on the release branch and verified  that version exists on [xpkg.upbound.io] for all getting started packages.
@@ -39,10 +40,14 @@ examples of each step, assuming release vX.Y.0 is being cut.
 - [ ] Updated, in a single PR, the following on `master`:
   - [ ] The [releases table] in the `README.md`, removing the now old unsupported release and adding the new one.
   - [ ] The `baseBranches` list in `.github/renovate.json5`, removing the now old unsupported release and adding the new one.
+- [ ] Closed the GitHub milestone for this release.
+- [ ] Publish a blog post about the release to the [crossplane blog]
 - [ ] Ensured that users have been notified of the release on all communication channels:
   - [ ] Slack: `#announcements` channel on Crossplane's Slack workspace.
   - [ ] Twitter: reach out to a Crossplane maintainer or steering committee member, see [OWNERS.md][owners].
-- [ ] Request @jbw976 to remove the EOL docs version from Google Search
+  - [ ] LinkedIn: same as Twitter
+- [ ] Request @jbw976 to remove all old docs versions from Google Search
+- [ ] Remove any extra permissions given to release team members for this release
 
 
 <!-- Named Links -->
@@ -58,3 +63,5 @@ examples of each step, assuming release vX.Y.0 is being cut.
 [releases.crossplane.io]: https://releases.crossplane.io
 [tag-workflow]: https://github.com/crossplane/crossplane/actions/workflows/tag.yml
 [xpkg.upbound.io]: https://marketplace.upbound.io/configurations?query=getting-started
+[GitHub milestone]: https://github.com/crossplane/crossplane/milestones
+[crossplane blog]: https://blog.crossplane.io

.github/PULL_REQUEST_TEMPLATE.md

@@ -27,5 +27,6 @@ I have:
 - [ ] Added or updated unit **and** E2E tests for my change.
 - [ ] Run `make reviewable` to ensure this PR is ready for review.
 - [ ] Added `backport release-x.y` labels to auto-backport this PR if necessary.
+- [ ] Opened a PR updating the [docs](https://docs.crossplane.io/contribute/contribute/), if necessary.
 
-[contribution process]: https://git.io/fj2m9
+[contribution process]: https://git.io/fj2m9

.github/renovate.json5

@@ -11,7 +11,7 @@
   "prConcurrentLimit": 5,
 // The branches renovate should target
 // PLEASE UPDATE THIS WHEN RELEASING.
-  "baseBranches": ["master","release-1.10","release-1.11","release-1.12"],
+  "baseBranches": ["master","release-1.11","release-1.12","release-1.13"],
   "ignorePaths": ["design/**"],
   "postUpdateOptions": ["gomodTidy"],
 // By default renovate will auto detect whether semantic commits have been used
@@ -115,6 +115,16 @@
         "google/oss-fuzz"
       ],
       "enabled": false
+    }, {
+      "description": "Still get all patch updates to release branches though",
+      "matchBaseBranches": [ "/^release-.*/"],
+      "matchDatasources": [
+        "go"
+      ],
+      "matchUpdateTypes": [
+        "patch",
+      ],
+      enabled: true,
     }
   ]
 }

.github/workflows/ci.yml

@@ -10,8 +10,8 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.20.5'
-  GOLANGCI_VERSION: 'v1.53.3'
+  GO_VERSION: '1.20.7'
+  GOLANGCI_VERSION: 'v1.54.0'
   DOCKER_BUILDX_VERSION: 'v0.10.0'
 
   # Common users. We can't run a step 'if secrets.DOCKER_USR != ""' but we can run
@@ -30,7 +30,7 @@ jobs:
           submodules: true
 
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         with:
           go-version: ${{ env.GO_VERSION }}
 
@@ -84,7 +84,7 @@ jobs:
           submodules: true
 
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         with:
           go-version: ${{ env.GO_VERSION }}
 
@@ -130,13 +130,13 @@ jobs:
           submodules: true
 
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         with:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Find the Go Build Cache
         id: go
-        run: echo "::set-output name=cache::$(make go.cachedir)"
+        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT
 
       - name: Cache the Go Build Cache
         uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
@@ -156,12 +156,12 @@ jobs:
         run: make vendor vendor.check
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2
+        uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2
         with:
           languages: go
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2
+        uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2
 
   trivy-scan-fs:
     runs-on: ubuntu-22.04
@@ -198,13 +198,13 @@ jobs:
         run: git fetch --prune --unshallow
 
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         with:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Find the Go Build Cache
         id: go
-        run: echo "::set-output name=cache::$(make go.cachedir)"
+        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT
 
       - name: Cache the Go Build Cache
         uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
@@ -238,7 +238,7 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true'
     strategy:
       matrix:
-        area: [lifecycle, pkg, apiextensions]
+        area: [lifecycle, pkg, apiextensions, xfn]
 
     steps:
       - name: Setup QEMU
@@ -247,7 +247,7 @@ jobs:
           platforms: all
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2
+        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2
         with:
           version: ${{ env.DOCKER_BUILDX_VERSION }}
           install: true
@@ -261,13 +261,13 @@ jobs:
         run: git fetch --prune --unshallow
 
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         with:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Find the Go Build Cache
         id: go
-        run: echo "::set-output name=cache::$(make go.cachedir)"
+        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT
 
       - name: Cache the Go Build Cache
         uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
@@ -303,13 +303,23 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true'
 
     steps:
+      - name: Cleanup Disk
+        uses: jlumbroso/free-disk-space@main
+        with:
+          android: true
+          dotnet: true
+          haskell: true
+          tool-cache: true
+          large-packages: false
+          swap-storage: false
+
       - name: Setup QEMU
         uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2
         with:
           platforms: all
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2
+        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2
         with:
           version: ${{ env.DOCKER_BUILDX_VERSION }}
           install: true
@@ -323,13 +333,13 @@ jobs:
         run: git fetch --prune --unshallow
 
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         with:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Find the Go Build Cache
         id: go
-        run: echo "::set-output name=cache::$(make go.cachedir)"
+        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT
 
       - name: Cache the Go Build Cache
         uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3

.github/workflows/promote.yml

@@ -13,7 +13,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.20.5'
+  GO_VERSION: '1.20.7'
 
   # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
   # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
@@ -31,7 +31,7 @@ jobs:
           submodules: true
 
       - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         with:
           go-version: ${{ env.GO_VERSION }}
 

.github/workflows/scan.yaml

@@ -131,7 +131,7 @@ jobs:
           retention-days: 3
 
       - name: Upload Trivy Scan Results To GitHub Security Tab
-        uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2
+        uses: github/codeql-action/upload-sarif@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2
         with:
           sarif_file: 'trivy-results.sarif'
           category: ${{ matrix.image }}:${{ env.tag }}

ADOPTERS.md

@@ -51,3 +51,5 @@ This list is sorted in the order that organizations were added to it.
 | [PITS Global Data Recovery Services](https://www.pitsdatarecovery.net/) | @pheianox | Declarative configuration and integration with CI/CD pipelines |
 | [NASA Science Cloud](https://smce.nasa.gov/) | [[email protected]](mailto:[email protected]) ([@rezuma](https://github.com/rezuma)) | [NASA Science Cloud](https://smce.nasa.gov) has created compositions to deploy the Open Science Studio, a jupyterhub based platform that connects to HPC in the cloud and foster NASA Open Science Initiative. Navteca ([@navteca](https://github.com/Navteca)) has been helping NASA with this initiative |
 | [Navteca](https://navteca.com/) | [[email protected]](mailto:[email protected]) ([@navteca](https://github.com/Navteca)) | [Navteca](https://www.navteca.com) is adopting Crossplane to deploy [Voice Atlas](https://www.voiceatlas.com) a cloud based product that let customer connect corporate knowledge with any Large Language Model and offered to be consumed by users through any channel (slack, MS Teams, Website, etc) |
+| [SAP](https://sap.com/) | [[email protected]](mailto:[email protected])| [SAP](https://sap.com) uses Crossplane as part of a solution that gives teams owning micro-services the ability to provision hyper-scaler hosted backing services such as Redis on demand. |
+| [Airnity](https://airnity.com/) | [[email protected]](mailto:[email protected]) | [Airnity](https://airnity.com/) uses Crossplane to deploy a worldwide cellular connectivity platform for the automotive industry. |

Makefile

@@ -33,14 +33,14 @@ GO_TEST_PACKAGES = $(GO_PROJECT)/test/e2e
 GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(shell echo $(VERSION) | sed 's/[\.,-]up.*//' )
 GO_SUBDIRS += cmd internal apis
 GO111MODULE = on
-GOLANGCILINT_VERSION = 1.53.3
+GOLANGCILINT_VERSION = 1.54.0
 -include build/makelib/golang.mk
 
 # ====================================================================================
 # Setup Kubernetes tools
 
 USE_HELM3 = true
-HELM3_VERSION = v3.12.1
+HELM3_VERSION = v3.12.2
 KIND_VERSION = v0.20.0
 -include build/makelib/k8s_tools.mk
 
@@ -104,10 +104,20 @@ cobertura:
 		grep -v zz_generated.deepcopy | \
 		$(GOCOVER_COBERTURA) > $(GO_TEST_OUTPUT)/cobertura-coverage.xml
 
-e2e-tag-images:
+# TODO(pedjak):
+# https://github.com/crossplane/crossplane/issues/4294
+e2e.test.images:
+	@$(INFO) Building E2E test images
+	@docker build --load -t $(BUILD_REGISTRY)/fn-labelizer-$(TARGETARCH) test/e2e/testdata/images/labelizer
+	@docker build --load -t $(BUILD_REGISTRY)/fn-tmp-writer-$(TARGETARCH) test/e2e/testdata/images/tmp-writer
+	@$(OK) Built E2E test images
+
+e2e-tag-images: e2e.test.images
 	@$(INFO) Tagging E2E test images
 	@docker tag $(BUILD_REGISTRY)/$(PROJECT_NAME)-$(TARGETARCH) crossplane-e2e/$(PROJECT_NAME):latest || $(FAIL)
 	@docker tag $(BUILD_REGISTRY)/xfn-$(TARGETARCH) crossplane-e2e/xfn:latest || $(FAIL)
+	@docker tag $(BUILD_REGISTRY)/fn-labelizer-$(TARGETARCH) crossplane-e2e/fn-labelizer:latest || $(FAIL)
+	@docker tag $(BUILD_REGISTRY)/fn-tmp-writer-$(TARGETARCH) crossplane-e2e/fn-tmp-writer:latest || $(FAIL)
 	@$(OK) Tagged E2E test images
 
 # NOTE(negz): There's already a go.test.integration target, but it's weird.
@@ -118,7 +128,7 @@ E2E_TEST_FLAGS ?=
 # https://github.com/kubernetes-sigs/e2e-framework/issues/282
 E2E_PATH = $(WORK_DIR)/e2e
 
-e2e-run-tests: $(KIND) $(HELM3)
+e2e-run-tests:
 	@$(INFO) Run E2E tests
 	@mkdir -p $(E2E_PATH)
 	@ln -sf $(KIND) $(E2E_PATH)/kind
@@ -128,7 +138,7 @@ e2e-run-tests: $(KIND) $(HELM3)
 
 e2e.init: build e2e-tag-images
 
-e2e.run: e2e-run-tests
+e2e.run: $(KIND) $(HELM3) e2e-run-tests
 
 # Update the submodules, such as the common build scripts.
 submodules:
@@ -160,7 +170,7 @@ run: go.build
 	@# To see other arguments that can be provided, run the command with --help instead
 	$(GO_OUT_DIR)/$(PROJECT_NAME) core start --debug
 
-.PHONY: manifests cobertura submodules fallthrough test-integration run install-crds uninstall-crds gen-kustomize-crds e2e-tests-compile
+.PHONY: manifests cobertura submodules fallthrough test-integration run install-crds uninstall-crds gen-kustomize-crds e2e-tests-compile e2e.test.images
 
 # ====================================================================================
 # Special Targets

OWNERS.md

@@ -26,23 +26,24 @@ See [CODEOWNERS](CODEOWNERS) for automatic PR assignment.
 ## Maintainers
 
 * Nic Cope <[email protected]> ([negz](https://github.com/negz))
-* Daniel Mangum <[email protected]> ([hasheddan](https://github.com/hasheddan))
 * Muvaffak Onus <[email protected]> ([muvaf](https://github.com/muvaf))
 * Hasan Turken <[email protected]> ([turkenh](https://github.com/turkenh))
 * Bob Haddleton <[email protected]> ([bobh66](https://github.com/bobh66))
+* Philippe Scorsolini <[email protected]> ([phisco](https://github.com/phisco))
 
 ## Reviewers
 
 * Yury Tsarev <[email protected]> ([ytsarev](https://github.com/ytsarev))
 * Daren Iott <[email protected]> ([nullable-eth](https://github.com/nullable-eth))
 * Ezgi Demirel <[email protected]> ([ezgidemirel](https://github.com/ezgidemirel))
 * Max Blatt ([MisterMX](https://github.com/MisterMX))
-* Philippe Scorsolini <[email protected]> ([phisco](https://github.com/phisco))
 * Jared Watts <[email protected]> ([jbw976](https://github.com/jbw976))
 * Lovro Sviben <[email protected]> ([lsviben](https://github.com/lsviben))
+* Predrag Knezevic <[email protected]> ([pedjak](https://github.com/pedjak))
 
 ## Emeritus maintainers
 
 * Bassam Tabbara <[email protected]> ([bassam](https://github.com/bassam))
 * Jared Watts <[email protected]> ([jbw976](https://github.com/jbw976))
 * Illya Chekrygin <[email protected]> ([ichekrygin](https://github.com/ichekrygin))
+* Daniel Mangum <[email protected]> ([hasheddan](https://github.com/hasheddan))

SECURITY.md

@@ -11,6 +11,9 @@ The following security related audits have been performed in the Crossplane
 project and are available for download from the [security folder](./security)
 and from the direct links below:
 
+* A security audit was completed in July 2023 by [Ada
+  Logics](https://adalogics.com/). The full report is available
+  [here](./security/ADA-security-audit-23.pdf).
 * A fuzzing security audit was completed in March 2023 by [Ada
   Logics](https://adalogics.com/). The full report is available
   [here](./security/ADA-fuzzing-audit-22.pdf).